topic Re: XML API - Get thret ID and CVE (version 8.0) in Automation/API Discussions

XML API - Get thret ID and CVE (version 8.0)

m.molina — Thu, 13 Jul 2017 07:26:13 GMT

Hello.

Working with firewalls on version 7 with a query to the following path: xpath=/config/predefined/threats/vulnerability I was able to get an XML with CVE of every threat, but on version 8 XML doen't contain associated CVE.

Are any other path to get threat ID/CVE from the API?

Thanks

Re: XML API - Get thret ID and CVE (version 8.0)

btorresgil — Fri, 14 Jul 2017 16:47:41 GMT

Hello,

I confirmed this on my firewalls, PAN-OS 7.1 shows threat metadata and PAN-OS 8.0 only has the threat name. Looking into it and will let you know. Thanks for your patience.

Thanks,

-Brian

Re: XML API - Get thret ID and CVE (version 8.0)

btorresgil — Fri, 14 Jul 2017 19:20:56 GMT

This has been opened as issue PAN-81194. We'll investigate and if it turns out to be a bug we will push a fix into a future 8.0.x maintenance release.

Unfortunately, I don't know of a workaround at this time, but will let you know if I come up with anything.

Thanks for your help!

Re: XML API - Get thret ID and CVE (version 8.0)

nigelswift — Thu, 27 Jul 2017 16:56:46 GMT

Looks like this just got fixed today in the PAN-OS 8.0.4 release (PAN-76042). Good work, @btorresgil.

Re: XML API - Get thret ID and CVE (version 8.0)

btorresgil — Thu, 27 Jul 2017 18:42:23 GMT

Glad to help, and thanks for your patience.

Re: XML API - Get thret ID and CVE (version 8.0)

m.molina — Wed, 23 Aug 2017 10:53:55 GMT

Hello again.

On version 8.0.4 I continue having the same problem:

How can I solve it?

Thanks

Re: XML API - Get thret ID and CVE (version 8.0)

spiromruen — Tue, 19 Sep 2017 03:54:34 GMT

PAN-OS 8.0 depletes CVE information from old XPATH

For 8.0.4 onward, please use new XPATH in op command.

type=op&cmd=<show><predefined><xpath>/predefined/threats/vulnerability</xpath>

Example of working output

<response status="success"><result><vulnerability>
<entry name="35931" p="yes">
<threatname>HP Data Protector OmniInet Opcode Buffer Overflow Vulnerability</threatname>
<cve xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<member>CVE-2011-1865</member>
</cve>
<category>overflow</category>
<severity>high</severity>
<affected-host>
<server>yes</server>
</affected-host>
<default-action>alert</default-action>
</entry>
....

Re: XML API - Get thret ID and CVE (version 8.0)

ddallmann — Mon, 30 Dec 2019 19:36:33 GMT

The example above is close, not sure if some of it got stripped out. This works for me on latest versions V8 and higher.

https[:]//IPADDRESS/api/?key=YOURKEY&type=op&cmd=<show><predefined><xpath>/predefined/threats/vulnerability</xpath></predefined></show>